โ
Case #568
general.NEW FILE WRITE BYTES SAMPLE GRAB
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 ยท Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% ยท Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpSigStub.exe
HASH:
935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030
PROCESS_ID:
17988
IOCs:
935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpSigStub.exe
MITRE:
T1036
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpSigStub.exe",
"HASH": "935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "00647866-2ff6-4248-9830-71d35352d10a",
"event_time": 1774468114361,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6382,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "88b048d207538b2cf3cd029569c43c17"
}
},
"detect_id": "71bf5aa6-3cfe-4bc4-8b2e-413369c43c18",
"gen_time": 1774468120743,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468114\u0026selected=88b048d207538b2cf3cd029569c43c17",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "00647866-2ff6-4248-9830-71d35352d10a",
"event_time": 1774468114361,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6382,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "88b048d207538b2cf3cd029569c43c17"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468120000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
๐ค Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate system process (Windows Defender update) running from an expected temporary location.",
"investigation_questions": [
"Is the binary digitally signed by Microsoft?",
"Are there any other suspicious processes running on this host at the same time?"
],
"ioc_analysis": "The hash (935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030) has a clean reputation on VirusTotal (0/72) and is identified as the legitimate MpSigStub.exe binary. The file path C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpSigStub.exe is a standard staging location for Microsoft updates.",
"iocs_extracted": [
"935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030",
"C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpSigStub.exe"
],
"mitre_techniques": [
"T1036"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No action required",
"Consider tuning the rule to exclude signed Microsoft binaries in C:\\Windows\\Temp\\ to reduce noise"
],
"risk_score": 7,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on a legitimate Microsoft Windows Defender binary, MpSigStub.exe, being written to a temporary directory. This is a common occurrence during Defender signature updates and aligns with historical false positive patterns for this rule.\n\n**IOC Analysis:** The hash (935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030) has a clean reputation on VirusTotal (0/72) and is identified as the legitimate MpSigStub.exe binary. The file path C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpSigStub.exe is a standard staging location for Microsoft updates.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a legitimate Windows Defender binary (MpSigStub.exe) executing in a temporary directory during signature updates. Historical feedback and investigation results confirm this is a common benign occurrence for Microsoft-signed system processes.\n\n**IOC Analysis:** MpSigStub.exe is a known Microsoft-signed component used by Windows Defender to update signatures. Its execution from C:\\Windows\\Temp\\ is standard behavior during maintenance cycles, and the process tree shows no suspicious child processes or anomalous command-line arguments.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection is a false positive as MpSigStub.exe is a legitimate Microsoft-signed binary associated with Windows Defender ATP, commonly written to temporary directories during signature updates.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpSigStub.exe is atypical but legitimate for Windows Defender operations. HASH: 935c8fb7d58e4845dec66063f67f623afa5cbfeccbd6eca726fecab21e362030 is likely Microsoft-signed, confirmed by investigation and IOC validation rules.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 100% confidence)",
"qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-25T22:14
๐ค FusionSOC AI
2026-03-25T22:13
๐ค FusionSOC AI
2026-03-25T22:13
๐ค FusionSOC AI
2026-03-25T22:13
๐ Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating โ closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:14:13
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ FALSE POSITIVE) - gemini-cli: false_positive (low, 100% ...
2026-03-25T22:13:59
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:13:59
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:13:59
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Consider tuning the rule to exclude signed Microsoft binaries in C:\Windows\Temp...
2026-03-25T22:13:59
FusionSOC
Response action queued: recommended on Consider tuning the rule to exclude signed Microsoft binaries in C:\Windows\Temp\ to reduce noise
2026-03-25T22:13:59
FusionSOC AI
Status changed: open โ investigating
2026-03-25T22:13:59
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:13:59
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** No action required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 mins...
2026-03-25T22:13:58
FusionSOC
Response action queued: recommended on No action required
2026-03-25T22:13:58
FusionSOC
Action tag โ executed: Tag applied
2026-03-25T22:13:58
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:13:57
FusionSOC AI
Detection 71bf5aa6-3cfe-4bc4-8b2e-413369c43c18 triaged as false_positive (low severity, confidence: 100%)
2026-03-25T22:13:57
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB